Security

Give your app's users a security experience that doesn’t feel like a hassle, and keep pace with the latest authentication techniques. Windows 8.1 offers new ways to authenticate and manage users, expanded support for signatures and certificates, and new capabilities for stored credentials.

Fingerprint authentication

Your app can now use a fingerprint scan to authenticate a user. Use biometric authentication to help protect an app from unauthorized use or to control access to specific pages or resources. To do this, use the UserConsentVerifier class in the Windows.Security.Credentials.UI namespace.

Your app should first verify that fingerprint authentication is an option on the user's device. To find out whether the device has a fingerprint reader, call the UserConsentVerifier.CheckAvailabilityAsync method. Even if a device supports fingerprint authentication, your app should still provide users with an option in Settings to enable or disable it. For more info about creating this setting, see Adding app settings.
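The availability check and the consent request described above, combined into one fail-closed gate. This is an added example, not code from the original page; the `FingerprintGate` class, the `VerifyUserAsync` method and the `enableFingerprint` flag (standing in for the app's own Settings toggle) are assumptions, and it relies on the `UserConsentVerifier.RequestVerificationAsync` method from the same class.

```csharp
// Added example (not from the original page). FingerprintGate, VerifyUserAsync
// and enableFingerprint are hypothetical names chosen for illustration.
using System;
using System.Threading.Tasks;
using Windows.Security.Credentials.UI;

public static class FingerprintGate
{
    // Returns true only when the fingerprint reader positively verified the user.
    // Every other outcome (feature disabled, no reader, cancelled, retries
    // exhausted) returns false so the caller keeps the resource locked.
    public static async Task<bool> VerifyUserAsync(bool enableFingerprint, string reason)
    {
        // Respect the opt-in/opt-out choice the user made in the app's Settings.
        if (!enableFingerprint)
        {
            return false;
        }

        // Step 1: is fingerprint authentication usable on this device right now?
        UserConsentVerifierAvailability availability =
            await UserConsentVerifier.CheckAvailabilityAsync();
        if (availability != UserConsentVerifierAvailability.Available)
        {
            // DeviceNotPresent, NotConfiguredForUser, DisabledByPolicy or DeviceBusy:
            // the caller should fall back to its regular sign-in path.
            return false;
        }

        // Step 2: prompt for the scan. 'reason' is shown to the user in the prompt.
        UserConsentVerificationResult result =
            await UserConsentVerifier.RequestVerificationAsync(reason);

        // Fail closed: only an explicit Verified result grants access.
        return result == UserConsentVerificationResult.Verified;
    }
}
```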

WebAuthenticationBroker updates

The web authentication broker (represented by the WebAuthenticationBroker class) has been updated to automatically fill in existing credentials based on user consent. The credentials are stored in the Credential Locker. When an app needs to sign in to a resource using web authentication broker, if the broker finds an existing credential in the Credential Locker and the user has consented, the existing credential is used and the user is automatically signed in to the resource. For more information, see Web authentication broker.

Smart cards and Virtual Smart Cards

Your app can now communicate with smart card readers and authenticate with smart cards using APIs defined in the Windows.Devices.SmartCards namespace. The following classes drive the core usage scenarios for this feature:

The SmartCardReader class represents a smart-card reader device. Use the FindAllCardsAsync method to get info about all of the smart cards that are attached to the reader. Use the GetStatusAsync method to get the smart card reader's status (such as disconnected or ready).

The SmartCard class represents general info about a smart card. Use the GetStatusAsync method to get the smart card's status (such as disconnected or ready).

The SmartCardProvisioning class enables an app to configure a smart card, to get info about a configured smart card, and to create or delete a Trusted Platform Module (TPM) Virtual Smart Card. Use members such as the GetIdAsync and GetNameAsync methods to get a smart card's ID and minidriver name, respectively.

Credential Locker updates

We've updated the Credential Locker to improve your ability to store user credentials and then automatically supply them for the user when needed. Windows 8.1 includes these changes to the Credential Locker.

Identify a default credential when multiple credentials exist for a resource. The PasswordCredential.Properties collection now includes a Default property.

Determine when a credential was last used, in order to retire unused credentials. The PasswordCredential.Properties collection now includes a LastAccessed property.

App account settings

In Windows 8.1, the Settings contract has been updated to include account management. Now you can implement the Settings contract and enable your users to manage multiple account credentials.

For example, you may have an email client that manages emails from multiple servers. Likewise, you may have a social media app that aggregates content from numerous social media sites and services. You can use the Settings contract to simplify user access to credentials for all of these sites and services. Read more about the Settings contract at Adding app settings.

Selective wipe

Windows 8.1 introduces support for selective wipe, which enables you to identify folders and files on a user’s PC that can be revoked (and thereafter deleted) by a command from a server. This scenario is especially relevant for businesses and enterprises in cases when an employee’s PC is lost or stolen, or when an employee who kept company files on a personal device has left the company.

When adding a new file as app data, you can call the FileRevocationManager.ProtectAsync method to enroll the file in selective wipe. Selective wipe identifies the file by using an enterprise identity—typically a domain name.

When accessing a file or folder protected by selective wipe, call the FileRevocationManager.GetStatusAsync method to retrieve the protection status for the item each time it is accessed. If the item status value returned is Revoked, delete the file.
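Both halves of the selective wipe procedure, enrolling a new app-data file and checking its status on every access, are shown in this added example (not code from the original page). The `SelectiveWipeFiles` class, its method names and the enterprise identity `contoso.example` are assumptions made for illustration.

```csharp
// Added example (not from the original page). SelectiveWipeFiles, its method
// names and the "contoso.example" identity are hypothetical placeholders.
using System;
using System.Threading.Tasks;
using Windows.Security.EnterpriseData;
using Windows.Storage;

public static class SelectiveWipeFiles
{
    // Placeholder enterprise identity; typically the organization's domain name.
    private const string EnterpriseId = "contoso.example";

    // Creates a file in local app data, enrolls it in selective wipe, then writes to it.
    public static async Task<StorageFile> CreateProtectedFileAsync(string name, string text)
    {
        StorageFolder folder = ApplicationData.Current.LocalFolder;
        StorageFile file = await folder.CreateFileAsync(
            name, CreationCollisionOption.ReplaceExisting);

        // Enroll the file before any enterprise data is written into it.
        FileProtectionStatus status =
            await FileRevocationManager.ProtectAsync(file, EnterpriseId);
        if (status != FileProtectionStatus.Protected)
        {
            // Do not keep an unprotected file around for enterprise content.
            await file.DeleteAsync(StorageDeleteOption.PermanentDelete);
            throw new InvalidOperationException("File could not be protected: " + status);
        }

        await FileIO.WriteTextAsync(file, text);
        return file;
    }

    // Checks the protection status on each access; deletes the file if revoked.
    // Returns null when the file was revoked and removed.
    public static async Task<string> ReadIfNotRevokedAsync(StorageFile file)
    {
        FileProtectionStatus status = await FileRevocationManager.GetStatusAsync(file);
        if (status == FileProtectionStatus.Revoked)
        {
            await file.DeleteAsync(StorageDeleteOption.PermanentDelete);
            return null;
        }
        return await FileIO.ReadTextAsync(file);
    }
}
```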

Windows To Go updates

Windows 8 introduced the ability to create a Windows To Go workspace that is booted from a USB-connected external drive on PCs that meet the Windows 7 or Windows 8 certification requirements. A workspace can use the same image that enterprises use for their desktops and laptops, and can be managed the same way.
Windows 8.1 updates this feature to enable booting from a USB composite device with a storage and a smart card function.
